11 tips for protecting your privacy and digital security in the age of Trump

As of January 20, Donald Trump is the president of the United States, which has prompted deep concerns from many over the constraints his administration may place on our ability to connect, express, and spread information safely.

Trump, a longstanding adversary of the free press, has expressed support for expanded surveillance powers, insulted and blacklisted both individual journalists and entire news organizations, selected an Attorney General appointee who actively eschews commitments to protecting a free press, and has called for leak investigations that would ensnare both sources and journalists. If these comments and actions are any indication, both the press and ordinary citizens may be forced more than ever before to use technology to keep their communications safe.

Below, we present eleven digital security tips you can implement today to help you better protect yourself, your fellow journalists, and your sources when communicating on your phone or computer.

We expect the threats will change in the coming years. These tips represent strong security standards right now, and we pledge to stay on top of any changes in the future.

1. Start with threat modeling

There is no one-size-fits-all formula for digital security. Perfect security simply does not exist, but there are plenty of ways to better protect yourself depending on the situation. Just as each individual has a unique digital life, each individual has a unique threat model — a concept used to describe an amalgam of risks that threaten an individual’s privacy and security. It is not a static concept, rather it changes according to conscious choices you make, as well as technical, social, and political changes beyond your control.

Threat modeling allows you to identify who you are worried about, locate potential security vulnerabilities in your current practices, and take stock of the assets you wish to protect. You can begin thinking about your threat model by asking yourself: What information do I have to protect? Who am I protecting this information from? How far am I willing to go to protect said information?

2. Keep your software up to date

Remember to install updates on your devices whenever they are available. Typically, updates are sent out by developers to patch vulnerabilities in software that threaten privacy and security. Updating your software can often be done with one click, and it is one of the best ways to protect yourself from being hacked.

3. Check your app permissions

As a mobile device is as much of an asset to journalists and activists as it is a liability, always check an application’s permissions before you download any piece of software on your phone. A game you play on your commute, for example, has no business knowing your location at all times. Limiting your phone’s ability to track you is key to maintaining your privacy on the move.

You can find app permissions on the iPhone in the “Privacy” menu of “Settings.” There, you can see which applications have requested access to your device’s critical resources, and grant or revoke that access accordingly.

On Android, you can check individual permissions in your application menu by dragging an application icon upwards to reveal its “App Info.” From there, tap “App Permissions” to toggle which permissions you are comfortable granting the app.

4. Use a strong passphrase

Passwords made of a long and random string of digits, letters, punctuation, or words are ideal, but they are often hard to remember. To make a complex yet memorable password easier to create, consider adopting a passphrase instead. We’ve come up with a guide to help you think about what passphrase is appropriate for a given use case.

Remember: do not reuse passwords across multiple sites. You’ve no doubt heard of the millions of compromised accounts leaked in high-profile data breaches. Once an account is compromised in an attack, it is often posted online for a host of bad actors to try out your credentials on more damaging accounts, like your bank or email. Ensuring you use a unique password for each account will leave you less vulnerable to a subsequent attack after compromise.

5. Use a password manager

Not sure how you’ll remember all your new, complex passwords, or don’t trust yourself to create them? Password managers streamline and systematize the process of generating unique passwords and rotating credentials on a regular basis. You use a single passphrase to unlock your password manager, and it then stores, generates, and fills in dozens of other credentials for various sites for you. That way, you won’t have to worry about remembering them, because they are stored in your password manager.

There are some great online and offline password managers on the market today. Online password managers like 1Password and LastPass offer user-friendly options for those interested in accessing their credentials through a browser. For those inclined to an offline version, open source alternative KeePassX stores your credentials in a local, encrypted file on your desktop.

6. Enable 2-factor authentication on all your accounts

Adding an additional layer of authentication to your accounts mitigates the threat of account compromise. With 2-factor authentication (2FA) enabled, attackers won’t be able to gain access to your account, even if they know your username and password.

Depending on the service, you can enable 2FA through voice call, SMS, software, or hardware token. For example, if you are using Gmail, the first time you sign in with your password, Google will send a short code to your phone that you will then type in to confirm that it is, in fact, you who is trying to access your account.

While it is certainly better than not having 2FA enabled, authentication through call or SMS can be vulnerable to interception by a sophisticated adversary through a man-in-the-middle attack, or through access to your voicemail or mobile carrier account. Software like Google’s Authenticator, Authy, or Duo lets you link an offline, time-based code generator to your mobile device, and is more secure than text-based 2FA schemes. Hardware tokens like Yubico’s Yubikey are even more secure, making phishing attempts almost impossible to pull off, as authentication codes can only be used by the site you’re trying to log into.

If you want instructions on how to set up 2FA on your various accounts, twofactorauth.org is a helpful resource to get you set up with 2FA across any service that provides the option.

7. Use encrypted messaging

Signal is widely considered the most secure messaging app for calls and texts; you can download it on Android and iPhone and sync it with a desktop application. Messaging apps like WhatsApp, Wire, and CryptoCat have already followed Signal’s example and rolled out its encryption protocol in their applications, turned on by default.

8. Encrypt your hard drive and phone

If you have sensitive data stored on your mobile phone or desktop, your first line of defense against that information finding its way into the wrong hands is through device encryption.

While not necessarily advisable, sometimes we must attend controversial events or cross borders with our personal devices. If you are traveling or attending a protest with your personal device and fear it may be confiscated or tampered with, authorities will not be able to access your sensitive data if you:

1. Encrypt your device;
2. Lock it with a complex passphrase; and
3. Turn it off.

9. Choose the right web browser and security settings

In addition to the data that you store on your local devices, you also transmit data while you are browsing and communicating on the web. Configuring your browser to your security and privacy needs is essential to taking control of your data-in-transit — you can get started by routinely deleting your browsing history, electing to use browsers like privacy-forward Mozilla Firefox or security-minded Google Chrome, and managing your browser settings and plugins. Here, for example, are great instructions on how to adjust your Google Chrome settings to be more secure.

If anonymous browsing is what you seek, consider using the Tor Browser, with the caveat that in certain circumstances it can be risky to use the software. Worried about being identified as a Tor user by your internet service provider? Fire up a trusted Virtual Private Network (VPN) before you connect — that way only your VPN provider knows you’re connecting to the Tor network.

10. Choose a trustworthy VPN

Not all VPNs are created equal, so selecting the right VPN for your threat model requires nuance and research. Always look for a VPN provider that promises a short data retention policy — aim for no logging whatsoever — and the option of a “kill switch” — a feature that directs your computer to disconnect from the internet when your VPN connection is interrupted. It’s important, too, to look into the protocol your VPN provider uses to establish a connection between your device and its server. Aim for a protocol that is open source (like OpenVPN), or robust when properly implemented (like IPsec). Avoid a protocol that has known security vulnerabilities (like PPTP).

Finally, avoid free VPN providers, as selling your traffic data is likely how the company is turning a profit! While a VPN can be a helpful tool to protect you from traffic snoopers, using one does not promise perfect anonymity.

11. Detect and prevent phishing attempts

Finally, you can throw as much software at your threats as you want, but privacy and security are still contingent on human error. If you get hacked, all the encryption in the world won’t protect you. Oftentimes the origin of a hack can be traced back to an individual clicking on a malicious link or unknowingly downloading malware from an email — such attacks are called phishing. For example, this is how Hillary Clinton’s campaign chairman John Podesta had all of his emails stolen.